flowProxy
flowProxy Technical Insight
aurologic flowProxy offers protection against application-specific DDoS attacks, such as HTTP floods. It is a reverse proxy with built-in challenge-response, logging and TLS termination capabilities, acting as a web application firewall (WAF) for customers' websites.
Besides its WAF capabilities, flowProxy provides load-balancing and request interception, so that customer websites can be protected and scaled easily.
How it works
Customers just need to turn on aurologic flowProxy. Based on network-level routing, ingress traffic is redirected to flowProxy, which intercepts requests on TCP ports 80, 443 and 8443. Requests need to pass challenge-response methods such as JavaScript proof-of-work, button click (user interaction) or Captcha. Real visitors who pass the challenge-response method are forwarded to the real customer server, as with an ordinary reverse proxy.
Bots and badly behaving visitors are rate-limited, while leaving enough room to complete the challenge-response interaction. Rate limits are enforced at the network level of the flowProxy infrastructure through eBPF/XDP, which stops TLS handshake floods, request floods and protocol violations with minimal processing overhead.
Real Visitor Handling
Requests from real visitors are proxied like the original request. Those requests are now sent from the flowProxy infrastructure, so the origin server must not rate-limit flowProxy's addresses and must retrieve the real visitor IP address from the X-Forwarded-For and X-Real-IP headers that flowProxy sets. It is also important to preserve the X-Forwarded-For and X-Real-IP headers when running another load-balancer between flowProxy and the real client; otherwise the middle-man load-balancer may overwrite the header contents with the flowProxy originating IP address.
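As an added illustration of the origin-side handling described above (example code, not part of flowProxy or this documentation), the following shows how an origin server can recover the visitor address from X-Forwarded-For / X-Real-IP only when the request arrived through a trusted proxy hop, cope with a load-balancer that appends its own hop, and key its own rate limiting on the visitor rather than on flowProxy. The proxy address ranges are constructed placeholders, not aurologic's real egress addresses.

```python
import ipaddress

# Constructed example ranges (RFC 5737 documentation space and RFC 1918), not the
# real flowProxy egress addresses; a customer would fill in the ranges aurologic publishes.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # assumed flowProxy egress range
    ipaddress.ip_network("10.0.0.0/8"),       # assumed internal load-balancer range
]

def _is_trusted(ip):
    """True if ip is a known proxy hop; None if the string is not an IP address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in TRUSTED_PROXIES)

def visitor_ip(remote_addr, headers):
    """Return (ip, source) for a request as seen by the origin server.

    remote_addr is the TCP peer (the last proxy hop); headers is a dict of
    request headers. Forwarding headers are believed only via a trusted hop.
    """
    if not _is_trusted(remote_addr):
        # Traffic that did not come through flowProxy: any forwarding
        # headers were set by the client itself and must be ignored.
        return remote_addr, "direct"
    hdr = {k.lower(): v for k, v in headers.items()}
    xff = [h.strip() for h in hdr.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk X-Forwarded-For from the right, skipping hops we operate or trust;
    # the first unknown address is the visitor. This also handles a
    # load-balancer behind flowProxy that appends its peer (flowProxy) to the list.
    for hop in reversed(xff):
        trusted = _is_trusted(hop)
        if trusted is None:
            return remote_addr, "malformed"
        if not trusted:
            return hop, "x-forwarded-for"
    real_ip = hdr.get("x-real-ip", "").strip()
    if _is_trusted(real_ip) is False:
        return real_ip, "x-real-ip"
    # Every candidate is one of our own proxies: a middle-man load-balancer has
    # overwritten the headers with the flowProxy address, as the text warns.
    return remote_addr, "unrecoverable"

def rate_limit_key(remote_addr, headers):
    """Key for origin-side rate limiting: never the proxy address itself."""
    ip, source = visitor_ip(remote_addr, headers)
    if source == "unrecoverable":
        return None  # do not throttle flowProxy at the origin; repair the header chain
    return ip
```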
Challenge Response
Customers can define their own challenge-response templates. By default, the following methods are available:
- bypass -> Passes the request through without further challenge-response logic
- javascript -> JavaScript-based proof-of-work (PoW) that requires the browser to execute mathematical calculations
- button -> Requires a button click, as a real visitor would perform
- captcha -> Captcha-based challenge response: an image is displayed and the matching input needs to be provided
URI Path specific configuration
To apply URI-path-specific blacklists and whitelists, customers can define their own RegEx-based configuration through the API and the customer area. This feature allows requests to be ruled on based on their characteristics.